The complexity of data protection laws (with Infographic)

The challenges that lie ahead of the data protection laws in India have again become visible as the Srikrishna Committee submitted its report. While Europe’s GDPR has been occasionally critiqued as too harsh, the Indian Union Minister for Law Ravi Shankar Prasad expressed hope that India’s data protection law “should be a blend of security, safety, privacy and innovation and a model for the whole world.”

In order to better understand data protection laws in India, it’d be worthwhile to understand data protection itself and why it’s a great deal more complex than it probably any law every framed.

Explosion of data storage and processing capacity

Imagine the number of rooms required to physically store a single copy of all the newspaper published the world over in just year. If the same were to be stored digitally, all you would need an external hard disk that could easily fit in a large palm.

The explosion of data storage capacity in the past two decades has changed so many things. The kind of data storage that, just 50 years back, was a near-monopoly of government and huge organizations has reached the hands of almost every individual who has access to a computer or even a smartphone.

According to one study, the per-capita capacity to store data has roughly doubled every 40 months since 1980.

This growth has made data collection, storage, processing and sharing of data arguably the most serious discussion today. Little wonder data protection laws are a necessity.

Why we need data protection laws

Data is both a tool and a weapon.

Organizations use data to sell stuff. But there’s a lot more that can be done with data.

Data analytics today has gone far ahead of mere conjectures and estimates. Data originating from multiple and highly reliable sources can build highly dependable patterns. What makes it truly formidable is the extremely complex web that’s built around data.

To jump straight to the infographic, scroll right to the bottom of this post.

Consider a day in the life of an average ‘connected’ individual Kathy. Upon waking up, Kathy turns to her tab or her smart phone to check the day’s news or message notifications – data of the kind of news she accesses is recorded.

A little later, she walks into a coffee joint and orders coffee and breakfast – her food habits are recorded. She makes her payment using a card – her transactions are recorded. Next, she calls for a taxi through a taxi-service aggregator – the data of her origin and destination are recorded.

In office, Kathy relies on email and phone calls – the basic information of each of these two is recorded. During her lunch break, she takes time out to order some grocery from an online store – her preferences, spending patterns and spending capacity is recorded.

Data is used to profile people – too closely

Note that every time the data went to a different service provider: a service provider who provided data and voice services, a credit-card company, a taxi-aggregator, a coffee joint, an ecommerce website and so on. What is important, however, that this data could be potentially shared.

And then you could profile and predict what Kathy will do next. And then you slowly can alter the kind of things she sees on her phone or tab. Subtly, you could begin to influence her choices, her preferences, her purchasing patterns. And her political leanings. And the party she votes for.

Data, in short, can be used to form patterns, predict behavior, influence decisions, deliver better governance, rig elections, discriminate against people and pretty much everything else.

No wonder data protection laws are complex.

The four pillars of data collection and processing that impact data protection laws

The way data is collected and processed is complex and distributed. Here are the four pillars to data collection and processing.

Robotics and automation:

Collecting data from every source available is at least partly handled by robots. Collating data from diverse locations like websites and point of sale present a degree of complexity that only automation can handle. Human efforts in collecting and tabulating the data would be both inadequate and extremely slow.

Data protection laws in India, if they wish to be effective, will have to first closely examine the way data is collected.

Internet of Things (IoT):

IoT is today no longer a fad. For instance, Vodafone, one of India’s leading cellular services provider is betting heavily on IoT.

As more and devices get connected through IoT, data collection becomes more comprehensive. Earlier, data was supplied only by your cellphone, today your TV, your refrigerator and possibly even your bread toaster can share data about you – as long as they are IoT enabled.

While robotics present the capacity to collect data, increasing IoT provides the multiple devices from which data can be harvested.

Big Data:

Any discussion of data protection laws in India, or anywhere else, is pretty much meaningless without referencing Big Data. The rapid rise in storage and processing capacity of computers over the past two decades has made Big Data possible.

Velocity: The speed with which new data gets added cannot be handled by anything other than the gargantuan Big Data system.

Variety: There’s so many types of data that anything else simply cannot handle the mind-boggling variety of data coming in.

Artificial Intelligence:

Artificial Intelligence (AI) has the capacity to establish correlations, discover patterns and make predictions of likely future behavior of data subjects. AI is becoming eerily accurate.

Any predictive system, no matter how advanced, is only as good as the quality of data it had been fed with. The accuracy of the predictions that AI can churn out largely depends upon a fourth ‘V’ for Big Data: Veracity.

AI is growing increasingly capable of analyzing nearly endless data. And that’s where the one of the biggest challenge to data protection laws in India lies. Because AI uses multiple, almost countless, sources as its data points, detecting breach or non-compliance – or even ethical issues – will be one a big headache.

All the data so collected and processed can be made available to the public and private sector, subject to the extant rules.